Today I got an enterprise Internet connection together with a Sagemcom router. The first time it is connected to the Internet, it will spend 20 minutes upgrading the firmware.

I would really like to capture all the traffic for this upgrade using a CentOS host with two NIC's, with the purpose to figure how upgrades are authenticated. E.g. with a secret user account and passphrase?

If I want to put the CentOS host between the Internet connection and the router:

Question

How do I configure CentOS, so all traffic going in at eth0 goes out at eth1?

Is tcpdump -s0 -A -w upgrade.pcap -nni eth0 correct, if I want to use Wireshark later on to inspect the packages?

2 Answers
2

You could setup eth0 and eth1 as bridge and assuming eth0 is connected to the Sagemcom and eth1 is connected to the internet connection. The traffic would pass through the bridge, then you could run a TCP dump on the bridge and capture all of the traffic.

First you'd set your CentOS box up as a router, which basically involves enabling packet forwarding (usually a machine is the destination), if you want to let traffic pass through.

The simple part of that is changing /etc/sysctl.conf.
Change

net.ipv4.ip_forward = 0 to 1.

Then you'd set eth0 in one network, eth1 in the other, and add a route between the networks.

Configuring other things like firewalls or selinux is up to you.

I'd use tcpdump -s0 -n host < router IP > -w upgrade.pcap -i any
Though some of that might be redundant, for example, if you're listening for traffic going to and from the router IP, you shouldn't need to specify much in the way of interfaces, I believe.